On March 5, the National Telecommunications and Information Administration (“NTIA”) released a Notice in the Federal Register seeking public comment on the types of consumer privacy issues that should be addressed in voluntary industry codes of conduct. NTIA published the Notice following the recent release of the White House’s privacy white paper setting out a Consumer Privacy Bill of Rights.
The Consumer Privacy Bill of Rights, which was released on February 23, sets forth a comprehensive blueprint to improve consumers’ privacy protections in the digital age while also promoting the continued growth of Internet commerce. The Consumer Privacy Bill of Rights contains 7 broad principles that consumers should be able to expect from companies that collect, use, and disclose their personal data. The principles contained in the Consumer Privacy Bill of Rights are:
- Individual control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Bill of Rights.
In conjunction with the Administration’s plans to work with Congress to enact legislation based on the Consumer Privacy Bill of Rights, NTIA will soon be convening interested stakeholders, including industry players, privacy advocates, consumer groups, and technology experts to create and implement voluntary, enforceable codes of conduct to apply the rights in specific business contexts. If a company that has committed to adhering to the codes of conduct subsequently violates them, the company could be held responsible under Section 5 of the Federal Trade Commission Act.
In preparation for the multi-stakeholder gatherings in which the codes of conduct will be discussed, NTIA seeks comment on a number of topics in the Notice, including:
- The issues that should be addressed through the privacy multi-stakeholder process;
- Special considerations regarding the collection and use of information, and in particular location-based information, through mobile applications;
- Cloud computing services;
- What accountability mechanisms could be used to demonstrate compliance with the Consumer Privacy Bill of Rights;
- Online services directed to children under 13, as well as teens between 13 and 18 years of age;
- Trusted identity systems;
- The use of multiple technologies (e.g., browser cookies, local shared objects, and browser cache) to collect personal data; and
- How the multi-stakeholder process should be structured to ensure openness, transparency, and consensus-building.
NTIA stressed that this list is not exhaustive and that it welcomes comments on any topics relevant to the Privacy Bill of Rights.
Comments on the Notice are due by March 26.
